Restic Encrypted Backup Setup Guide

Last updated: March 21, 2026

3d8f2a1b 2026-03-21 02:00:00 myhost /home/user c7e9f4d2 2026-03-20 02:00:00 myhost /home/user

Browse files inside a snapshot:

```bash
restic -r /mnt/backup/restic-repo ls 3d8f2a1b

Mount a snapshot as a filesystem:

mkdir /tmp/restic-mount
restic -r /mnt/backup/restic-repo mount /tmp/restic-mount
ls /tmp/restic-mount/snapshots/latest/

Mounting is useful for browsing old versions of files without committing to a full restore. It requires FUSE on Linux (fuse package) and macOS (macFUSE).

Step 9 - Restore Files

Restore a single file or directory from the latest snapshot:

restic -r /mnt/backup/restic-repo restore latest --target /tmp/restore --include /home/user/Documents/important.pdf

Restore an entire snapshot:

restic -r /mnt/backup/restic-repo restore latest --target /tmp/full-restore

Restore to the original path (overwrites existing files):

restic -r /mnt/backup/restic-repo restore latest --target /

Test your restore process at least quarterly. A backup you have never tested is a backup you cannot trust. A practical habit: once a month, restore a random file from a 30-day-old snapshot and verify its contents.

Step 10 - Snapshot Retention Policy

Keeping every snapshot forever wastes storage. Set a retention policy:

restic -r /mnt/backup/restic-repo forget \
 --keep-daily 7 \
 --keep-weekly 4 \
 --keep-monthly 6 \
 --prune

This keeps:

The last 7 daily snapshots
4 weekly snapshots
6 monthly snapshots
Removes data no longer referenced by any kept snapshot (--prune)

For compliance with data retention regulations (GDPR, HIPAA, SOC 2), adjust these numbers to match your requirements. GDPR’s right to erasure applies to backups too. if you delete a user’s data from production and need to honor an erasure request, your backup policy must account for this. Short retention windows (30, 90 days) reduce the window where deleted data persists in backups.

Step 11 - Automate with systemd

Create a systemd service:

sudo nano /etc/systemd/system/restic-backup.service

[Unit]
Description=Restic Backup
After=network.target

[Service]
Type=oneshot
User=youruser
Environment=RESTIC_REPOSITORY=/mnt/backup/restic-repo
Environment=RESTIC_PASSWORD_FILE=/home/youruser/.restic-password
ExecStart=/usr/bin/restic backup /home/youruser --exclude-file=/home/youruser/.restic-excludes
ExecStartPost=/usr/bin/restic forget --keep-daily 7 --keep-weekly 4 --keep-monthly 6 --prune

Create a timer:

sudo nano /etc/systemd/system/restic-backup.timer

[Unit]
Description=Run Restic Backup Daily

[Timer]
OnCalendar=daily
Persistent=true
RandomizedDelaySec=1h

[Install]
WantedBy=timers.target

Enable:

sudo systemctl daemon-reload
sudo systemctl enable --now restic-backup.timer

Check timer status:

systemctl list-timers restic-backup.timer

RandomizedDelaySec=1h spreads backup start times across a hour window, which prevents thundering-herd issues if you run the same timer on many machines.

Step 12 - Alerting on Backup Failures

Silent backup failures are worse than no backups at all. you discover the problem only when you need to restore. Add failure alerting to the service:

[Service]
...
OnFailure=notify-backup-failure@%n.service

Or use Healthchecks.io (a free, open-source compatible service):

Add to ExecStart sequence. ping on success
ExecStartPost=/usr/bin/curl -fsS --retry 3 https://hc-ping.com/YOUR-UUID

If the ping does not arrive, Healthchecks.io sends you an email or webhook alert. This pattern works with restic running in any environment. local, VPS, or container.

Step 13 - Verify Repository Integrity

Run this regularly to detect data corruption:

restic -r /mnt/backup/restic-repo check

For a full data verification (reads all pack files):

restic -r /mnt/backup/restic-repo check --read-data

This is slow on large repos but confirms backup integrity end to end.

A lighter approach for large repositories: use --read-data-subset=5% to sample 5% of pack files on each run. Rotate the subset over weeks to get full coverage without a single long-running check.

Step 14 - Rotate Keys

To change the repository password:

restic -r /mnt/backup/restic-repo key passwd

List all keys associated with the repo:

restic -r /mnt/backup/restic-repo key list

Remove an old key by its ID:

restic -r /mnt/backup/restic-repo key remove <key-id>

Rotate your repository password annually or whenever a credential is exposed. After rotation, the old password no longer decrypts any data. but the existing snapshots remain accessible with the new password.

Troubleshooting

Configuration changes not taking effect

Restart the relevant service or application after making changes. Some settings require a full system reboot. Verify the configuration file path is correct and the syntax is valid.

Permission denied errors

Run the command with sudo for system-level operations, or check that your user account has the necessary permissions. On macOS, you may need to grant terminal access in System Settings > Privacy & Security.

Connection or network-related failures

Check your internet connection and firewall settings. If using a VPN, try disconnecting temporarily to isolate the issue. Verify that the target server or service is accessible from your network.

Frequently Asked Questions

Can restic back up to multiple destinations simultaneously? Not natively. Run two separate backup commands pointing to two different repositories, or use a wrapper script. Backing up to two independent locations (local + cloud, or two different cloud providers) is strongly recommended for resilience.

What happens if I lose my password? The data is permanently unrecoverable. Restic’s encryption is intentional and complete. there is no backdoor, no recovery key, no support ticket you can file. Store the password in a password manager and keep an offline copy (printed or on an encrypted USB drive you store separately from the backup media).

Does restic support Windows? Yes. The binary works on Windows natively. Use Task Scheduler instead of systemd for automation. The password file approach and environment variables work the same way.

How does restic compare to Borg Backup? Both are excellent. Borg has faster deduplication and is slightly more efficient for large repos, but only supports Linux/macOS natively. Restic supports Windows and has broader storage backend support. For cross-platform environments, restic is the safer choice.